This article is taken from our white paper, ‘Your people and your risks: finding balance in the new normal’ in which we take a step back and look at how the behavioural landscape has shifted so dramatically over the last year.
In this extract, we apply this approach to a concern common to all cybersecurity professionals — phishing.
We’re all told repeatedly that what we can’t measure we can’t manage. And if there’s one thing cybersecurity professionals are desperate to manage, it’s the myriad-headed beast called phishing. After all, no matter how many heads are severed from this most dominant of threats, new mutations are ready to rear up to take their place.
So, we measure the hell out of it. Or rather we measure a facsimile.
We throw sim phish campaign after sim phish campaign at our staff. Fake hydras with which we hope to ‘battle prove’ our colleagues while satisfying our need for data. Then we pore over the entrails of:
- Click-through rates.
- Credentials compromised.
- Bad apples caught out.
But the thing we often forget in our quest for metrics is that such measurement is no passive act. You’re measuring more than just exception events, port scans or patch latency. You’re measuring people. And just like the tailor’s tape that causes a sharp intake of breath when too cold, they will notice. And react.
All this means you need to think carefully about your approach when gathering your people-side data. If your ‘ethical’ phishing is conducted cloak-and-dagger – with too little regard for colleagues deceived or the tone taken with the follow-on training – what you gain in graphs you’ll lose in something more precious – trust.
That’s a critical commodity you can’t afford to squander, especially in the midst of a pandemic.
As we’ve outlined in our forthcoming white paper, the need for measurement to answer the question ‘Where on earth am I now?’ has never been greater. It’s vital you understand how your security culture is bearing up in this time of crisis. But it’s just as important that you recognise that your people have never been under greater stress.
So, the need for sensitivity in your people-side metrics is as vital as the urgency in understanding the novel risks of a COVID-transformed world. Which is why recent research on taking a different angle to simulated phishing – emphasising the need for openness and maximising engagement – is so well-timed.
The idea is to cast away the cloak and drop the dagger. Forget about maximising the realism of your campaign by keeping the audience in the dark. Instead, prioritise getting your people completely on board, by involving them in every step of the process. Be inclusive and open.
Techniques that can be leveraged in such ‘open phishing’ include:
Open phishing isn’t the simplest road to take. It requires tricky conversations and careful tailoring. It involves relinquishing some control. But the sharing of ownership, encouraging your people to own both the problem and the solution, will mean that you’ll have the crowd on your side.
Not on your back.
Doing so will also make your people an active defence. And who wouldn’t prefer a chainmail suit to a host of individual ‘weak links’, given today’s threat-heavy and volatile world?
White paper:
‘Your people and your risks: finding balance in the new normal’
Go deeper into the role employees play in your organisation's cybersecurity.
Download your free copy of ‘Your people and your risks: finding balance in the new normal’ now.
© The Security Company (International) Limited 2023